
Risk Assessment of Making BYOD Decisions

Ben Holt
March 02, 2016


Employees are using their own devices in the work place and asking to connect them to the company network. We look at the risks and implementation details of BYOD from a legal perspective in 2016.



Transcript

  1. Risk Assessment of Making BYOD* Decisions (*Bring Your Own Device)
     Ben Holt, Stoel Rives LLP
     Wednesday, 2016-03-02 • Salt Lake City
  2. The Problem
     • There is greater focus… …but, still poor results.
     • 55% of Audit Committees think more agenda time should be devoted to cybersecurity.
     • 88% of Boards say that their strategic risk register includes a cybersecurity risk category.
     • Top concerns for Audit Committees: 1. Gov., Processes, Controls and Risk; 2. Management; 3. IT Risk and Emerging Technologies; 4. Uncertainty; 5. Information Privacy/Security/Cyber.
     • Average number of exposed or compromised records in a US data breach: 29,087.
     • Average cost of an organizational data breach: $6.53 (US$ millions).
     • Reported losses by US companies from unauthorized use of computers by employees in 2014: $40 (US$ billions).
     Sources cited on the slide: FTSE 350 Cyber Governance Health Check, HM Government (U.K.); “Is Governance Keeping Pace?”, KPMG, 2015; Data Breach Industry Forecast, Experian, 2015; 2015 Cost of a Data Breach Study: Global Analysis, IBM – Ponemon Institute; U.S. Dept. of Health and Human Services; 2015 Global Audit Committee Survey, KPMG’s Audit Committee Institute.
  3. BYOD
     • According to Forrester Research, 48% of employees will buy their own device – whether their organization approves or not.
     • 50% of US employers will stop providing devices in 2017.
     • Employees are using their own devices in the work place and asking to connect them to the company network – this trend is known as Bring Your Own Device (BYOD).
     Source: Pepper Hamilton – BYOD – Liability and Data Breach Sold Separately, 2013
  4. State of the BYOD
     • 63% of employees use mobile devices to access workplace data, including sensitive regulated data.
     • Despite the risk, 67% of organizations have no special policy in place to monitor employees with access to regulated data.
     • Only 52% of mobile devices with access to regulated data have adequate security.
     Source: Pepper Hamilton – BYOD – Liability and Data Breach Sold Separately, 2013
  5. Benefits of BYOD
     • Company avoids owning hardware and ongoing contracts
     • User gets a choice
     • Productivity/reactivity
     • Equipment goes with employee – company data is wiped upon departure
  6. Challenges of BYOD
     • Security is difficult to control with user devices
     • Work-life balance
     • Policies are lagging behind reality
     • Discovery boundaries
     • Privacy boundaries
  7. What is a Device That Qualifies?
  8. Mobile Device Classification
     • Category 1, Category 2, Category 3, Category 4
     Source: CSX: Securing Mobile Devices, ISACA, 2012
  9. Heatmap of Risk (figure)
     Source: CSX: Securing Mobile Devices, ISACA, 2012
  10. Steps to BYOD Risk Analysis (and Implementation)
     1. Define the data access and the risk associated with each data access
     2. Refine confidentiality for each data access
     3. Look for a balance of data security with the right to privacy
     4. Review ownership and cost issues
     5. Enable meshing with other policies
     6. Prepare training and buy-in
  11. Who Is Eligible for Data Access?
     • Careful of hourly employees – blurs the overtime line (personal and business on one device)
     • Usually by job function
     • Where do you draw the trust line?
  12. Define the Data Access
     • What data do they want?
     • What data can they access?
     • Is it a need?
     • What is the productivity gain?
     • What is the risk of loss?
     • What data can we secure?
     • What data can we partition?
  13. Example: Email
     • Want/need
     • Exchange email data can be remotely managed
     • Productivity gain: large
     • Risk of loss: breach notification laws
     • Email data can be encrypted
     • Mobile Device Manager can enforce partition and security
  14. Example: Text Messaging
     • Want
     • Cannot be managed for iPhone (but can for Android/Blackberry)
     • Productivity gain: marginal
     • Risk of loss: breach notification
     • Can be encrypted – not in transit
     • Cannot be partitioned well (all or nothing)
     • Alternate: corporate IM applications
  15. Data to Consider in BYOD
     A critical organizational need is to identify what data is sensitive and critical to each stakeholder in the information lifecycle. This categorization of data helps drive a risk-based agenda and meaningful investment.
     Data categories:
     • Corporate – Intellectual Property, Research, Development, Merger, Acquisitions, Divestiture, Trade Secrets
     • Customer – Patient, Benefits, Financial, Health
     • Employee – Human Resources, Payroll, Health, Benefits, Performance Reviews
     • Third Party – Commercial Agreements, Rate Cards, Hosted Data, Managed Data
     • Attorney-Client – Lawsuit, Arbitration, Privileged Communications
  16. Defining Confidentiality
     • Is the data access “need to know”?
     • What laws are triggered by employee access and/or processing of the data?
     • What reporting procedures are needed?
     • What are the unintended consequences of remote wipe?
     • Synergy with document retention/destruction
     • Actually implementable (waiver of safe-harbor defenses)
  17. Example: Email
     • Need to know – yes
     • Potential laws – Europe, HIPAA, SEC, Sarbanes-Oxley
     • Reporting – European Data Protection Comm., SEC, HIPAA, data breach notification
     • Remote wipe – health, pictures, notes
     • Retention/destruction – same as desktop
     • Implementable – same as desktop
  18. 3. BALANCING SECURITY WITH PRIVACY
  19. Employer Security vs. Employee Privacy
     • Clumsy handling of employee devices – embarrassment and/or potential claims
     • Define what is monitored and/or accessed – demonstrate unambiguous consent
     • Train on the management software – understands use -> informed consent – informed of right to revoke consent and consequences
  20. What Is and Is Not Covered
     • Clearly define incentives – funding data plans, insurance, subsidizing price
     • Clearly define company non-liability for what employee does with device
     • Define difference between personal and business use of device and payment
     • Tax advice for benefit in kind
  21. Anticipate the Life Cycle
     • Procedures for loss – when to report (hours/days)
     • Sale of device – demand device for scrub before sale
     • Procedures for termination – right to buy device
     • Retiring a device – scrub device before retirement
     • Repair
  22. Anticipate the Use
     • Who can be given the passcode? – wife, kids, which repair shop, IT, nobody
     • Who can use the device? – electronic babysitter
     • Mixed use – confidential photos on shared Photostream
     • Backups – where allowed, when destruction
  23. 5. ENABLE MESHING WITH OTHER POLICIES
  24. Integrate with Other Policies
     • Establish the standard of care – together
     • Same retention periods
     • Same destruction procedures
     • Litigation holds
     • Information security
     • Acceptable internet use
     • Social media
     • Harassment/discrimination
  25. 6. PREPARE EMPLOYEE TRAINING AND BUY-IN
  26. Inform, Teach, Consent, Enforce
     • Provide copy of policy
     • Receive training on policy
     • Sign express authorizations for: – monitoring – remote wipe – disable
     • Clear, written and enforced!
  27. Employee Risks
     • Theft by employee is easier
     • Decreased security – which thumbprints are authorized (roommate)
     • Hacking – applications installed by employees – visiting out of country
     • Adverse party with device
     • Illegal behavior: driving, illicit materials
  28. Discovery
     • Sequestering personal vs. company data
     • Surrender of personal data
     • Imaging without personal data
     • Obtaining physical access to device
     • It appears that policies govern the employee’s right to privacy to the extent they are enforced – for employer-provided device (likely same for BYOD). Quon v. City of Ontario, 560 U.S. 746 (2010)
  29. Hacking
     • Failure to adhere to minimum standards – not adequately securing data
     • Leakage of data by virus or app (check-in)
     • Jailbroken phones
  30. Consider These Definitions:
     • Acceptable use
     • Purposes of device and data for business
     • Allowable technologies (jailbreak!)
     • Network access
     • Restrictions
  31. Consider These Terms:
     • Security measures
     • When monitoring occurs and procedures for it
     • Ownership of device
     • Contract responsibility
     • Data responsibility
     • Ownership of business software on device
     • Termination procedures relating to device
     • Disciplinary action for violation
  32. Consider Consent For:
     • Employer access
     • Backup
     • Audit
     • Monitoring of device
     • Monitoring of types of data – list types of data
  33. From Policy to Device (diagram)
     • Information Security Policy (policy and standard)
     • Mobile Device Policy – minimum requirements and opt-in rules; management permissions
     • Mobile Device Manager (reduce management overhead)
     • Mobile Device (accountability on user) – managed by user; unknown / partial app set
  34. References
     • For an IT perspective: CSX: Securing Mobile Devices, ISACA, 2012
     • For policy language: Fedeles, Sherer, Selby, BYOD Policies, Bloomberg BNA: Privacy & Data Security Law Resource Center, 2016
     • For an employment perspective: Klein, Diamond, Kagan, BYOD (Bring Your Own Device)…Liability and Data Breach Sold Separately, Pepper Hamilton LLP, 2013
     • For a litigation perspective: Hinkes, BYOD Policies: A Litigation Perspective, American Bar Association, 2014
     • For a pessimistic overview of the legal landscape: Avoiding BYOD Legal Issues, Route1 Inc., Sept. 2013
     • For a fit of BYOD in with other IT trends: Rainbow, IT Trends and Future Considerations, Moss Adams LLP (date unknown)